I have a 10MB Internet connection going through a 7206, then two ASAs in failover and then a Cisco CSS with a cluster of 3 web servers that receive constant HTTP transactions. The web servers hold a single web page with a single public IP address that is under attack.
I have a Netflow Analyzer showing thousands of HTTP connections (valid HTTP connections, getting a 200 OK response from the web server)... but trying to reach a nonexistent directory.
Thousands and thousands of these connections from thousands of different IP addresses. (Besides all the valid HTTP transactions)
My ISP is telling me that since all the HTTP requests are valid, there's no way for them to "block" this attack.
I am thinking about an IPS Sensor, creating a signature that blocks that traffic specifically, but if the directory or the attack changes, we need to constantly modify the signatures...
We've tried the Cisco Traffic Anomaly Detector and Guard and it did not detect the traffic as an attack!
Can somebody point me in the right direction for an approach to this situation?
First you need to analyze those source IPs (use Whois); sometimes one changes the structure of their website and the search engine bots (e.g. Google) keep referencing the old pages. What I mean to say is that it's not always an 'attack'. Check the source IPs of the HTTP requests!
Your web-server should return the correct HTTP response code (404) for the search engines to remove your pages from their index (This is true even in normal circumstances).
If it's a legitimate attack, you can block it both at the ASA or at the IPS level. However, this sort of functionality is better achieved through Application Firewalls (WAF).
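The triage the answer above describes (check the source IPs, confirm the bogus directory really is answered with 200 instead of 404, and separate self-declared crawlers from the flood before blocking anything) can be done straight from the web server's access log. The following script is an added example, not code from the original thread; it assumes Apache/nginx "combined" log format, a `known_paths` set of resources the site really serves, and illustrative thresholds (`per_ip_threshold`, `min_sources`) that you would tune to your own traffic. The sample log it runs on is constructed inline, using RFC 5737 documentation addresses.

```python
"""Triage an access log for a flood of 'valid' HTTP requests to a path that
should not exist.  Added example, not part of the original thread."""
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User-agent substrings that claim to be a search-engine crawler.  A claim is
# not proof: the UA header is attacker-controlled, so verify with whois / rDNS.
CRAWLER_UA_MARKERS = ("Googlebot", "bingbot", "YandexBot", "Baiduspider")


def parse_line(line):
    """Return a dict with ip/path/status/ua for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, known_paths, per_ip_threshold=20, min_sources=50):
    """Find paths that should 404 but don't, and the IPs hammering them.

    known_paths      -- resources the site really serves (assumed to be known)
    per_ip_threshold -- hits on a bad path above which a source is a block candidate
    min_sources      -- distinct sources above which a bad path counts as 'under attack'
    """
    path_sources = defaultdict(set)
    path_status = defaultdict(Counter)
    ip_hits = Counter()            # (ip, path) -> hits
    claims_crawler = set()

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        path_sources[path].add(rec["ip"])
        path_status[path][rec["status"]] += 1
        ip_hits[(rec["ip"], path)] += 1
        if any(marker in rec["ua"] for marker in CRAWLER_UA_MARKERS):
            claims_crawler.add(rec["ip"])

    # Misconfiguration check: a path outside the real site answered with 200
    # instead of 404.  This is what keeps crawlers coming back and lets the
    # ISP call the flood "valid traffic".
    wrong_200 = {p for p, c in path_status.items()
                 if p not in known_paths and c[200] > 0}
    attacked = {p for p in wrong_200 if len(path_sources[p]) >= min_sources}

    block = set()
    verify = set()
    for (ip, path), hits in ip_hits.items():
        if path in attacked and hits >= per_ip_threshold:
            (verify if ip in claims_crawler else block).add(ip)

    return {
        "paths_wrongly_200": wrong_200,
        "attacked_paths": attacked,
        "block_candidates": block,
        "verify_first": verify,     # claim to be crawlers; check rDNS/whois before blocking
        "sources_per_path": {p: len(s) for p, s in path_sources.items()},
    }


def _line(ip, path, status, ua="Mozilla/5.0"):
    # Helper to build constructed sample log lines (not captured traffic).
    return (f'{ip} - - [10/Oct/2010:13:55:36 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


def sample_log():
    """Constructed sample: legitimate page views, a 60-host flood of a bogus
    directory that the server wrongly answers with 200, one self-declared
    crawler, and one low-volume visitor of the same bogus path."""
    lines = [_line("192.0.2.%d" % i, "/index.html", 200) for i in range(1, 6)]
    for host in range(1, 61):
        lines += [_line("203.0.113.%d" % host, "/old/products/", 200)] * 25
    lines += [_line("198.51.100.9", "/old/products/", 200,
                    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)")] * 30
    lines += [_line("198.51.100.10", "/old/products/", 200)] * 2
    return lines


if __name__ == "__main__":
    result = triage(sample_log(), known_paths={"/", "/index.html"})
    for key in ("paths_wrongly_200", "attacked_paths", "verify_first"):
        print(key, sorted(result[key]))
    print("block_candidates:", len(result["block_candidates"]))
```

The `paths_wrongly_200` set is the first thing to fix regardless of whether this is an attack: once the bogus directory returns 404, search engines drop it and the remaining requesters are much easier to argue about with the ISP. The `block_candidates` list is what you would feed to the ASA, IPS or WAF; `verify_first` holds sources whose user-agent claims to be a crawler, which is trivial to spoof, so check them with whois or reverse DNS before deciding.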